Which Are the Best User Authentication Measures and Why?


With billions of fraudulent login attempts every month, it’s critical for organisations to do everything possible to avoid becoming a victim. Yet it can be as simple as using basic multi-factor authentication techniques to protect against 99.9% of hacks.

In 2016, the US standards body NIST made an important announcement with implications for the many organisations using two-factor authentication (2FA). The key statement appeared in section 5.1.3.2:

“Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators.”

Although out-of-band SMS 2FA was predominantly a technology used by consumers, many businesses also relied upon it. At a stroke, the official guidance on best practice said it was no longer secure enough without re-verifying the telephone number used. The move wasn’t a complete surprise. SMS authentication had been under attack from a variety of hacks such as SIM swap fraud and mobile phishing for some years.

SMS authentication had an obvious weakness – the mobile device and service – but even supposedly bullet-proof methods can suffer unexpected weaknesses. The most notorious example of this is what happened to RSA’s SecurID token system in 2011. This generated a unique user code every 30 or 60 seconds, allowing the holder to log in with a very high degree of certainty that the user was in possession of the token. Each token was tied to one account and never connected to the network. The codes it generated were unique to that user, which meant it was immune to most compromises.

Unfortunately, attackers had compromised RSA’s network and located the server used to store the seed values from which the codes were generated, undermining the entire system. Hundreds of organisations using SecurID are believed to have been compromised as a result of that incident, which left RSA having to replace 40 million tokens.

Two-factor Authentication boom

These examples illustrate a simple truth about adding a second factor to passwords – while any option is more secure than a password and username alone, all have their weaknesses. Authentication is a lot more secure, but it is not a magic shield.

Ironically, a decade on from the RSA hack, the biggest issue for authentication is not how secure it is. Far from it – authentication has learned from these incidents and is booming. There have never been so many forms of authentication to choose from, to the extent that it can become a bit overwhelming. Today, the bigger barriers to adoption concern two related issues, namely usability (for end-users and consumers) and complexity and expense (for businesses).

If authentication is too complex or slow to interact with, it will become a hindrance nobody wants to use. At the same time, if it becomes too difficult to manage, it will become an expense that businesses are reluctant to deploy. This might sound obvious but it’s worth re-stating – the reason why the tech sector keeps inventing new forms of authentication is the search for the perfect balance of security with usability and management. In some recent examples, the intention of authentication is not to operate as an additional factor for passwords but to replace them altogether with a completely new mechanism.

Authentication is often divided up by technology – biometrics, tokens, one-time passwords – but a more revealing approach is to categorise it according to context and intent.

User authentication – medium security

Time-based one-time passcodes (TOTP) involve generating a single six-digit code that must be used within 30 seconds, usually from a smartphone app. This is a more secure variation of SMS one-time codes because the codes are generated locally rather than sent across an insecure network, and it offers a good balance of medium security with low cost and ease of use.
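As an added example (not part of the original article), here is the TOTP algorithm from RFC 6238 in Python, using the RFC's published test seed: the six-digit code is HMAC-SHA1 over the current 30-second time step, so it can be generated offline, and the verifier accepts a small drift window while refusing to re-accept a step it has already consumed.

```python
"""RFC 6238 TOTP: a six-digit code derived locally from a shared secret and
the current 30-second time step. Added example; the seed below is the public
RFC 4226/6238 test seed, not a real secret."""
import hashlib
import hmac
import struct
import time

SEED = b"12345678901234567890"   # RFC test-vector seed (constructed input)
STEP = 30                        # seconds per time window
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-SHA1 over the 8-byte big-endian counter, then RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at=None, step: int = STEP) -> str:
    """The HOTP counter is the number of whole time steps since the Unix epoch."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // step)

def verify(secret: bytes, code: str, at: int, last_counter: int = -1,
           window: int = 1, step: int = STEP):
    """Accept the current step plus `window` steps either side (clock drift),
    but never a step at or below the last one already used (replay of a
    code the server has seen). Returns (accepted, counter_to_record)."""
    base = at // step
    for counter in range(base - window, base + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return True, counter
    return False, last_counter

if __name__ == "__main__":
    print(totp(SEED, 59))   # RFC 6238 vector at t=59 -> 287082
```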

Admin authentication – high security

FIDO U2F is a Google-backed standard for cheap hardware tokens that is highly secure because the secret codes can’t be phished, intercepted or subverted by malware. The tokens also only work with the sites they have been registered with. U2F works across all platforms and supports a range of protocols depending on the implementation. The disadvantage is the expense of buying and managing physical keys.

Proprietary authentication – diverse security

Proprietary approaches to authentication include platforms such as Windows Hello and Apple’s FaceID/TouchID. The former is simply a platform designed to let Windows users authenticate in one of several ways (biometrics or via U2F tokens) without having to use a password at all. Apple’s TouchID is just a biometric implementation of the same idea. The advantage of Hello is it will work with a range of technologies but only for Windows/Active Directory environments.

Authentication standards – authentication without passwords

A big development in authentication has been the emergence of broader standards that work across technologies. A good example is WebAuthn, an API that makes it easier to integrate a range of authentication technologies at the web services/browser level. Essentially, this provides a simple standard everyone can use rather than having to use fragmented, proprietary standards.
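To show why the U2F and WebAuthn tokens described above resist phishing, here is an added Python illustration (not FIDO, browser or project code) of the relying-party checks on an assertion: the challenge must be the one just issued and is consumed on use, the origin the browser records must be the site's own, and the signature must cover both. The site login.example.com is assumed, and because this uses only the standard library the token's public-key signature is replaced by an HMAC labelled as a toy stand-in.

```python
"""Origin-bound challenge/response: why a U2F/WebAuthn assertion cannot be
phished or replayed. Added stdlib-only illustration: the token's per-site ECDSA
signature is stood in for by an HMAC (TOY); the relying-party checks are the real ones."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                      # assumed relying-party ID
ALLOWED_ORIGINS = {"https://login.example.com"}  # assumed

def toy_sign(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()  # TOY signature stand-in

class Token:
    """One key per RP ID. The browser, not the web page, supplies the origin."""
    def __init__(self):
        self.keys = {}
    def register(self, rp_id: str) -> bytes:
        self.keys[rp_id] = secrets.token_bytes(32)
        return self.keys[rp_id]
    def get_assertion(self, origin: str, rp_id: str, challenge: str):
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": origin}).encode()
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01\0\0\0\0"  # rpIdHash|flags|count
        sig = toy_sign(self.keys[rp_id], auth_data + hashlib.sha256(client_data).digest())
        return client_data, auth_data, sig

class RelyingParty:
    def __init__(self):
        self.pending = {}  # outstanding challenge -> user, each usable once
        self.creds = {}    # user -> registered key
    def begin_login(self, user: str) -> str:
        challenge = secrets.token_urlsafe(32)
        self.pending[challenge] = user
        return challenge
    def finish_login(self, user: str, client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
        cd = json.loads(client_data)
        key = self.creds.get(user)
        if key is None or self.pending.pop(cd.get("challenge"), None) != user:
            return False  # unknown user, or challenge never issued / already consumed
        if cd.get("type") != "webauthn.get" or cd.get("origin") not in ALLOWED_ORIGINS:
            return False  # signed at a look-alike origin: the phishing case
        if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
            return False  # authenticator data names a different RP
        signed = auth_data + hashlib.sha256(client_data).digest()
        return hmac.compare_digest(toy_sign(key, signed), sig)

def login(rp: RelyingParty, token: Token, user: str, origin: str) -> bool:
    """One ceremony; a relaying proxy cannot stop the browser recording its real origin."""
    challenge = rp.begin_login(user)
    return rp.finish_login(user, *token.get_assertion(origin, RP_ID, challenge))
```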

Another approach is push notification, which effectively turns the mobile device into a form of authenticated token. When logging in the user is sent a request to confirm or deny the authentication attempt. However, this requires the phone to be authenticated first by installing an app or as part of a platform such as Android or iOS.

Single sign-on (SSO)

Because businesses often have multiple applications, each with its own credentials and authentication, single sign-on integrates all of these under a single authentication mechanism. It works well as a global service, while creating (in theory) a single point of failure. SSO doesn’t integrate every credential, for instance those for devices, VPNs and Wi-Fi.

In Conclusion

Authentication was previously seen as an optional extra for additional security. Increasingly, its use is becoming a standard part of accessing anything and everything. As this has expanded, however, the issue of simplicity has surfaced. Businesses end up with several solutions to the same problem, each one useful within a specific context. One response is to ramp up security, for example by mandating high-security user tokens. Another is to get rid of passwords as far as possible, reducing authentication to a single layer of security.

Lurking over all discussions of authentication is the role of passwords. Unfortunately, for a variety of reasons including legacy technology and familiarity, these are not going to disappear quickly. What nobody has yet managed to do is come up with an authentication technology that’s as cheap and easy to use (or, more often, misuse) as the password.

Written by John Dunn

John is a journalist and editor who has been covering the IT industry for over 30 years. He specialises in cybersecurity, mobile, cloud, open source, and networking. His work has appeared in a number of popular tech titles, including Personal Computer Magazine, Network World, and LAN Magazine. He helped to co-found Techworld in 2003, and he regularly writes for The Register, Which Computing, and Forbes. He’s been interviewed on BBC TV and radio, and on CBC in Canada. He tweets about cybersecurity and privacy issues.
